Kees Cook wrote:> If all I cared about was the default Ubuntu distro, I wouldn't forward> these patches at all. As it turns out, I care about all kinds of> configurations, e.g. people using SELinux on Ubuntu, AppArmor on SUSE,> no LSM on Fedora, grsecurity on Gentoo, or TOMOYO on Debian. There are> all kinds of combinations, obviously, and I'm interested in making this> stuff available to anyone and everyone.

Security modules supported by distributor's kernels are one of benchmarks forLinux users when deciding distro to use. But it is just one of benchmarks.Linux users do not decide distro only with security modules supported bydistributor's kernels. Linux users choose distro with various benchmarks.

> The "just use SELinux" reply is tiresome. If "everyone" used SELinux,> there wouldn't be at least 3 other LSMs under active development.

SELinux indeed has many functionalities. But SELinux cannot provide ability toperform restriction based on pathnames. "SELinux can do everything" is wrong.

If there were an all-in-one application that supports web browsing, mail,writing, music, chat, scheduler etc., will "everyone" use that all-in-oneapplication? At least, I won't use it because it is too complicated to use.

I use X-desktop only when I need to use. I use SSH terminal if I can achievewhat I want to do. I'm not happy with spending my time for understanding how toconfigure X-desktop.

Being unable to configure SELinux by Linux users leads to SELinux beingunavailable for Linux users. If something is blocked by SELinux, Linux userssimply set SELINUX=disabled in /etc/selinux/config rather than finding how toconfigure SELinux because they don't know what functionalities are provided bySELinux and which configuration is wrong.

Linux users are seeking for solutions that they can understand and configureby themselves.

> The PTRACE, symlink, and other stuff are features people want. If the> point of your argument is that the logic and configuration for each> of these features should be added to every LSM, that's not sensible.> An end user should be able to pick and choose what they want. If I> create the security/hideous/ LSM tree, it would _exclude_ the ability to> use TOMOYO or Smack or SELinux or AppArmor.

I have strong complaint about closed nature of LSM community. I believe Linuxkernel's duty is to serve userspace applications and Linux users. But wheneverdiscussion about access control arises, the conclusion comes from Linux kerneldeveloper's viewpoint rather than Linux user's viewpoint; i.e. "You can do itusing SELinux (or netfilter or whatever in-tree code). Thus spend your time forunderstanding how to configure it". But that is too difficult for Linux users.

No LSM module can provide all functionalities. When users want to introduce asecurity mechanism that provides specific functionalities, LSM is the onlychoice. This forces users to give up other security mechanisms that providedifferent functionalities because LSM is exclusive.Windows users are picking and choosing what they want for security, and areexperiencing what combinations are good and what combinations are bad at theirown risk. But Linux users can't because LSM developers complain conflicts anddeprive Linux users of chances for experiencing what combinations are good andwhat combinations are bad.

LSM modules can't be loaded upon runtime since 2.6.24. 2.6.24 strengthened thebarrier for Linux users when they want to choose different security modulebecause replacing vmlinux is a very very high barrier.Linux is behind Windows regarding security hooks.Linux kernel's duty is to serve userspace applications and Linux users, no?Why not to provide Linux users ability to pick and choose what they want attheir own risk (rather than complaining conflicts forever)?